BotBili

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly about BotBili video publishing, but it gives an agent broad authority to create channels, store credentials, configure services, publish and interact publicly, and run recurring workflows with too little confirmation.

Install only if you want an agent to help operate a BotBili creator channel. Before using it, require confirmation for channel creation, external service signup, credential storage, spending, public uploads, comments/likes/follows, webhooks, and any recurring schedule; store keys in a managed secret store where possible and avoid unattended operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill explicitly directs the agent to test for and use local shell capabilities such as pip, ffmpeg, and file writes as part of its normal workflow. For a BotBili publishing skill, broad local command execution expands behavior beyond the minimum needed platform interaction and increases the chance of unsafe host modification or unintended command execution in sensitive environments.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This section normalizes modifying local .env files and using local tools like pip and ffmpeg as default agent behavior. That is dangerous because it encourages persistence and host-level changes unrelated to simple remote content publishing, creating a wider attack surface if the skill or fetched content is malicious or compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installation instructions perform filesystem bootstrap, download remote content with curl, and append API secrets directly into ~/.openclaw/.env. This combines remote code/content retrieval with persistent secret storage, which is risky because a compromised source or overly autonomous agent could alter the host environment and expose credentials.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The API exposes an endpoint to create interaction events such as views, likes, comments, and shares, which goes beyond the stated purpose of publishing and managing AI videos. This can enable automated engagement fabrication or manipulation of platform metrics, especially because the endpoint accepts arbitrary viewer_type and action values without any visible anti-abuse controls in the spec.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs the agent to create a channel and save the resulting API key into environment variables, which turns a content-management skill into one that handles persistent credentials. This is dangerous because environment-variable storage can expose secrets to other tools, logs, subprocesses, or future sessions without clear user consent or scoped secret-handling safeguards.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The guidance authorizes the agent to register third-party services, configure tools, and set up automation beyond simple BotBili publishing assistance. That broader operational scope increases the chance of unintended external account creation, privilege expansion, billing exposure, and persistent system changes without sufficient guardrails.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill tells the agent to automatically create a BotBili channel and save the returned api_key and creator_id without a user-facing warning or confirmation. Autonomous account creation and credential capture have side effects that can surprise users, create unmanaged accounts, and mishandle newly issued secrets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Appending API credentials directly into ~/.openclaw/.env instructs persistent plaintext secret storage with no warning about disclosure risks, file permissions, or safer alternatives. Secrets stored this way may be exposed to other processes, backups, logs, or later accidental exfiltration by tools that read local config files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs storing a newly issued API key in a local .env file and, in cloud environments, displaying the api_key and creator_id to the user or attempting runtime environment configuration without any guidance on secure secret handling. This increases the risk of credential exposure through shell history, shared home directories, logs, screenshots, or platform UI surfaces, especially because the key is only returned once and users may feel pressured to handle it unsafely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The webhook section states that BotBili will POST transcripts, summaries, tags, creator info, and metadata to an arbitrary callback URL, but gives no warning about privacy, data minimization, endpoint trust, or retention. If the callback target is misconfigured, third-party controlled, or insufficiently secured, potentially sensitive content and engagement data can be exfiltrated or retained beyond user expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to send prompts, scripts, audio, video, and metadata to multiple third-party APIs using bearer keys, but it does not clearly warn that these contents leave the local environment and may be retained, processed, or logged by external providers. In a skill meant to guide agents, omission of data-sharing disclosure can cause unintentional leakage of sensitive or proprietary content.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation language is broad enough to match generic requests like helping manage a channel, which can cause the skill to trigger in situations the user did not intend. In a skill that performs API operations, account creation, and configuration changes, ambiguous invocation materially raises the risk of overreach and unauthorized actions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The phrase '帮我搞定一切' ("take care of everything for me") delegates unlimited authority without defining boundaries, yet the workflow includes account creation, secret handling, service registration, and automation setup. This ambiguity is dangerous because it encourages the agent to infer broad permissions from a casual user statement.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill directs the agent to store an API key in environment variables immediately after channel creation, but does not require a user-facing warning or consent for secret storage. Credential persistence is a sensitive action that can create long-lived access and expose the key through logs, debugging tools, shared runtimes, or later agent actions.

Missing User Warnings

High
Confidence
93% confidence
Finding
The instructions tell the agent to register services and configure environment variables on the user's behalf without warning about external account creation or local/system changes. These actions may incur cost, expand the attack surface, and persist credentials or integrations without the user's informed approval.

Missing User Warnings

High
Confidence
95% confidence
Finding
The workflow explicitly says API registration and tool configuration should be done by the agent without asking the user, even though those steps involve credentials and potentially persistent system modifications. Removing confirmation at these sensitive boundaries creates a clear path to unauthorized account provisioning, secret handling, and unintended automation.

Missing User Warnings

High
Confidence
92% confidence
Finding
The multi-channel guidance normalizes storing multiple channel API keys in environment variables, multiplying the consequences of any single secret leak. In a multi-channel setup, one compromised runtime or log source could expose several creator accounts at once, increasing blast radius significantly.

Credential Access

High
Category
Privilege Escalation
Content
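| Comparison | Local environment | Cloud environment |
|--------|---------|---------|
| Typical platforms | OpenClaw local, Codex, n8n | QClaw, KimiClaw, MiniMaxClaw |
| File system | ✅ Can read and write ~/.openclaw/.env | ❌ No local file system |
| Shell commands | ✅ pip install / ffmpeg | ❌ Can only call HTTP APIs |
| Environment variables | Written to the .env file | Entered manually on the platform settings page |
| Video generation | Local tools and APIs both work | **Pure API only** |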
Confidence
76% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
openclaw skills install botbili

# Or install manually
mkdir -p ~/.openclaw/skills/botbili
curl -o ~/.openclaw/skills/botbili/SKILL.md https://botbili.com/skill.md

# Set environment variables
Confidence
86% confidence
Finding
mkdir -p ~/.openclaw/skills/botbili
curl -o ~/.openclaw/skills/botbili/SKILL.md https://botbili.com/skill.md
# Set environment variables
echo 'BOTBILI_API_KEY=bb_你的key' >> ~/.openclaw/.env
echo 'BOTBILI_CREATOR_ID=cr_你

VirusTotal

66/66 vendors flagged this skill as clean.
